Re: [FW-1] FW-1-MAILINGLIST Digest - 3 Dec 2001 to 4 Dec 2001 (#2001-63)
I'll see if I can answer some questions...

1) There are known problems with Linksys routers. Make sure the firmware is upgraded and that it is allowing UDP port 500 for the IKE key exchange. We have had some users end up having to swap hardware.

2) I'm pretty sure Hybrid mode doesn't work unless you have the Certificate Authority working. In addition to the "fw internalca certify" command, you also need the "fw internalca create" command to create the CA. Once the CA is created, you can "certify" each FW module. In your example, trek is the name of your firewall, while "o=boston, c=us" are just organization and country labels. You can change them to your location and country ("o=Atlanta, c=US").

3) The ":dns_xlate (true)" and ":dns_encrypt (true)" statements go in the userc.C file on the SR client. You'll need to create $FWDIR/conf/dnsinfo.C and modify $FWDIR/lib/crypt.def as well. This is only if you want to use Encrypted/Split DNS (DNS from your office network rather than from a public DNS server on the Internet).

Doug Johnson
Internet Security Systems
Sr. Network Engineer

------------------------------

Date: Tue, 4 Dec 2001 12:11:52 -0800
From: Alan Choyna <[email protected]>
Subject: Securemote not working. Should I use Hybrid IKE?

Currently, from my W2K PC behind my Linksys router (most current firmware) I can update the site with the current key successfully using SecuRemote (build 4188) from our Nokia IP440 (version 4.1 SP3). But whenever I try to use telnet, FTP or Timbuktu (these are all I've tried so far) using the internal IP on our internal network behind our Nokia IP440, I authenticate successfully, but then nothing happens; it seems to hang, and there are no messages in the log file after the successful authentication message. I am using IKE only, with the "UDP encapsulation" and "support IKE over TCP" options. FW-1 is also configured to use IKE. I have set all of my encryption and FW-1 profile settings to log everything.
I am running on a 192.168.5.* network behind the Linksys, and our internal network behind the IP440 is 1192.68.50.*, so I am sure it's not the IP getting it confused. I have also set Hybrid Mode SecuRemote authentication on the firewall object, but have not yet set up the Certificate Authority. Could that be confusing it?

My FW rule is: secureremote@any securegroup any client encrypt log long.

I have seen that there are some things I could do, like use Hybrid IKE. I was told to use this because we are running SecuRemote from clients behind a Linksys router using DSL (no static IP address); I was advised that we should be using Hybrid mode IKE authentication.

To set up the Certificate Authority, I telnet to the IP440 (we don't have a separate management station), cd to $FWDIR/bin, stop the firewall and then use the following command:

fw internalca certify -o trek "o=boston, c=us"

What do the "o=boston" and "c=us" options mean? Should I be changing these values to something for our site? Is "boston" a remote user? Should I do this process for each user?

I have also seen people recommend adding the following: "Did you add :dns_xlate (true) :dns_encrypt (true) to the userc.C file on the firewall?" Where do I insert it? Does anything have to be done to the objects.C file?

Sorry for all the questions, but I really want to get it right soon, as I'm getting management pressure.

Regards,
Alan.
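Both messages above turn on two lines in the SecuRemote client's userc.C, a file in Check Point's nested "(:key (value) ...)" notation. The following parser is an added example, not code from the thread or from Check Point: it reads that notation, pulls out the dns_xlate and dns_encrypt flags, and reports whether Encrypted/Split DNS is switched on. The two sample userc.C fragments are constructed for illustration; the ":options" section the flags sit under, the ":gateways" entry and the gateway address are assumptions, since the thread only says the two statements go "in the userc.C file" and does not show the surrounding layout.

```python
"""Parse a Check Point ".C"-style configuration file (the notation used by
userc.C on the SecuRemote client) and check the Encrypted/Split DNS flags.

Added example for the FW-1 list thread; not Check Point's own code.  The
placement of dns_xlate / dns_encrypt under ":options" is an assumption.
"""
import re

# Constructed sample: a userc.C with both Split DNS flags set.
SAMPLE_USERC = """
(
    :options (
        :dns_xlate (true)
        :dns_encrypt (true)
        :keep_alive (false)
    )
    :gateways (
        : (
            :name (trek)
            :ipaddr (192.0.2.1)
        )
    )
)
"""

# Constructed sample: a client that was never edited, so neither flag exists.
SAMPLE_DEFAULT = """
(
    :options (
        :keep_alive (false)
    )
)
"""

# Tokens: "(", ")", ":key" (":" alone is an anonymous list entry),
# a "quoted string", or a bare word such as true or 192.0.2.1.
_TOKEN_RE = re.compile(r'\(|\)|:[A-Za-z0-9_\-]*|"(?:[^"\\]|\\.)*"|[^\s()]+')


def tokenize(text):
    """Split .C text into tokens; whitespace carries no meaning."""
    return _TOKEN_RE.findall(text)


def parse_c_file(text):
    """Return the root node as nested dicts, lists and strings.

    Attribute nodes become dicts keyed by name; anonymous ": (...)" entries
    are collected into a list under the empty-string key; "(value)" leaves
    become plain strings with surrounding quotes removed.
    """
    tokens = tokenize(text)
    pos = 0

    def parse_node():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != "(":
            raise ValueError("expected '(' at token %d" % pos)
        pos += 1
        if pos >= len(tokens):
            raise ValueError("unterminated node")
        if tokens[pos] == ")":                    # empty "()" leaf
            pos += 1
            return ""
        if tokens[pos].startswith(":"):           # attribute node
            node = {}
            while pos < len(tokens) and tokens[pos] != ")":
                key = tokens[pos][1:]
                pos += 1
                value = parse_node()
                if key == "":
                    node.setdefault("", []).append(value)
                else:
                    node[key] = value
            if pos >= len(tokens):
                raise ValueError("unterminated node")
            pos += 1                              # consume ")"
            return node
        value = tokens[pos]                       # scalar leaf
        pos += 1
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("expected ')' after value %r" % value)
        pos += 1
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        return value

    root = parse_node()
    if pos != len(tokens):
        raise ValueError("trailing tokens after root node")
    return root


def split_dns_enabled(config):
    """Return (dns_xlate, dns_encrypt) as booleans; a missing key counts as off."""
    options = config.get("options", {})
    return (options.get("dns_xlate") == "true",
            options.get("dns_encrypt") == "true")


if __name__ == "__main__":
    for label, text in (("edited", SAMPLE_USERC), ("default", SAMPLE_DEFAULT)):
        print(label, split_dns_enabled(parse_c_file(text)))
```

Run against a real client's userc.C, the script tells you in one step whether the two statements took effect, which is the check to make before going on to the dnsinfo.C and crypt.def edits Doug lists; a client whose flags read as off will keep resolving internal names through the public resolver.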